Bug 137992

Summary: CachedFrame::destroy can detach the page from frames too soon
Product: WebKit
Reporter: Vicki Pfau <jeffrey+webkit>
Component: History
Assignee: Vicki Pfau <jeffrey+webkit>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: ahmad.saleem792, ap, beidson, bfulgham, ddkilzer, kling, rniwa
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
Patch ap: review-

Description Vicki Pfau 2014-10-22 17:38:27 PDT
CachedFrame::destroy contains code that will detach the page, sometimes too soon, causing crashes or assertion failures when teardown code for frames assumes there is still an attached page.

<rdar://problem/18550647>
Comment 1 Vicki Pfau 2014-10-22 17:40:18 PDT
Created attachment 240313
Patch
Comment 2 Alexey Proskuryakov 2014-10-22 19:44:40 PDT
Comment on attachment 240313
Patch

This appears to break tests:

  fast/loader/image-in-page-cache.html [ Crash Timeout Pass ]
  fast/frames/frame-crash-with-page-cache.html [ Timeout ]
Comment 3 Ahmad Saleem 2022-08-08 16:05:22 PDT
I can see the following code being present in WebKit source from GitHub:

https://github.com/WebKit/WebKit/blob/75043d22e2b75e0018914f38ab381214f048dba2/Source/WebCore/history/CachedFrame.cpp#L261

Although line order is different and it was done in this commit:

https://github.com/WebKit/WebKit/commit/8506cd994976591f9a1db0dc5c10fc698768687f#diff-24fdd2b5535690eeec8038c328da95c097199ec9f376593c366505033eb18931

Considering this change landed in one way or form, I am going to mark this bug as "RESOLVED WONTFIX". Thanks!